
Getting info off the net with UNIX/Linux

Hi

Please don't ban me for asking this question, as it doesn't pertain to being malicious.
I would like to know how to retrieve information off the net. For example, if I suspect an
intrusion, how can I get better information on an attacker than just a subnet mask or server IP or some non-resolved address?

I am thinking more along the lines of their address and internet details.

I have just installed Linux Mandrake 9.2 and am trying to familiarise myself with some commands at the moment.

I know for a fact that people can retrieve my information very readily, and I doubt it is illegal, so I would kind of like to know, as this is a big shadow in my computer knowledge.

cheers

BTW, that flag on my avatar is not the Australian flag... how do I change that?

"Those are my principles, and if you don't like them....well, I have others"

Well, if it's an attacker you could get an IP from your firewall logs. That is, unless somehow they've gotten through your defenses. Of course, any IP address you get will most likely be a proxy or the address of a zombie (a computer compromised by a cracker to use in attacks). But then again, there probably are some clueless script kiddies using their own computers. If you have an actual intrusion, most likely a malicious attacker with any sense will alter your logs (if they have root access).

As far as your flag, try the edit your profile link on the front page.

My point is that an attacker will not make an IP address available to you. They will either be using a proxy or working through another computer that they have compromised. The only attacker you will get a valid IP address from will be one who doesn't know what they are doing.

For the wages of sin is death, but the free gift of God is eternal life in Christ Jesus our Lord.
(Romans 6:23, WEB)

This command should be already installed on your system. If not,
you can download it. You can capture the packets on your net
connection, both inbound and outbound. There's a steep learning curve,
but this will give you the ability to examine in detail everything on the wire.

Originally posted here by dan_in_au:
WHAT DEFENSES? This information is useless, any noob can look at firewall logs and get a bunch of bogus IPs that will not resolve...

So... some IPs don't reverse resolve (from IP to hostname). That doesn't mean they're bogus. Whois is the name of the game. That in combination with nslookup and/or dig will give you a huge amount of info.

Oliver's Law:
Experience is something you don't get until just after you need it.

Before you can become an internet detective, you'd best learn about how networks are arranged, what ASNs are, what CIDR blocks are and so forth. If an IP doesn't resolve (many don't), it's not an indication of a bad address. Someone owns that IP, so again, using tools already mentioned such as WHOIS will allow you to begin backtracing the source of the attack. Keep in mind that your emergency is meaningless to ASN operators. They may or may not cooperate with you.

--TH13

Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
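The workflow the two replies above describe (pull source addresses out of the firewall log, discard the ones that cannot be traced, then run whois and a reverse lookup on the rest) as an added example; this is not code from the thread. The iptables LOG lines are constructed, and the whois/dig commands are only generated as strings, not executed.

```python
import ipaddress
import re
from collections import Counter

# Constructed iptables LOG lines standing in for /var/log/messages (not a real capture).
SAMPLE_LOG = """\
Mar  3 10:01:12 gw kernel: IN=eth0 OUT= SRC=203.0.113.45 DST=192.168.1.10 PROTO=TCP SPT=4112 DPT=22
Mar  3 10:01:13 gw kernel: IN=eth0 OUT= SRC=203.0.113.45 DST=192.168.1.10 PROTO=TCP SPT=4113 DPT=23
Mar  3 10:02:40 gw kernel: IN=eth0 OUT= SRC=10.0.0.7 DST=192.168.1.10 PROTO=UDP SPT=137 DPT=137
Mar  3 10:05:01 gw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.168.1.10 PROTO=TCP SPT=55000 DPT=80
"""

SRC_RE = re.compile(r"\bSRC=(\d{1,3}(?:\.\d{1,3}){3})\b")

# Ranges that can never be an internet-side source: if one shows up as SRC on the
# outside interface it is spoofed or local, and whois/dig will tell you nothing.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def extract_sources(log_text):
    """Count how often each SRC address appears in the LOG lines."""
    return Counter(m.group(1) for m in SRC_RE.finditer(log_text))


def classify(ip_str):
    """Return 'routable' or the non-routable range the address falls in."""
    ip = ipaddress.ip_address(ip_str)
    for net in NON_ROUTABLE:
        if ip in net:
            return f"not routable ({net})"
    return "routable"


def lookup_commands(ip_str):
    """Commands to run by hand for a routable source: ownership first, then the PTR record.
    An empty PTR answer does not make the address bogus; the whois data still stands."""
    return [f"whois {ip_str}", f"dig -x {ip_str} +short"]


def triage(log_text):
    """Summarise the log: hits per source, whether it is worth tracing, and how."""
    report = {}
    for ip_str, hits in extract_sources(log_text).items():
        status = classify(ip_str)
        cmds = lookup_commands(ip_str) if status == "routable" else []
        report[ip_str] = {"hits": hits, "status": status, "commands": cmds}
    return report


if __name__ == "__main__":
    for ip_str, info in triage(SAMPLE_LOG).items():
        print(f"{ip_str:15} hits={info['hits']} {info['status']}")
        for cmd in info["commands"]:
            print(f"    {cmd}")
```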

Use snort, or at the very least IPChains/Tables to help deter people, I suppose. There isn't too much you can do about people port scanning you and such, except close those ports, maybe recompile your favorite programs to give out less information. Perhaps try forwarding most "scan" packets to another PC so they receive a completely different result than what they intended.